DigiNotar EV-enabled and new Verisign Roots
By Yngve Nysæter Pettersen. Friday, May 15, 2009 1:11:52 PM
We have also added new SHA-256 roots for Verisign and its Thawte and GeoTrust subsidiaries. These certificates are very new, so there are currently no test cases available.
As part of the migration away from the less secure MD5 and MD2 methods, Verisign have also updated their Generation 1 Class 1 and Class 2 Root Certificates to be signed using SHA-1 instead of MD2. These certificates are only used for client certificates, not web sites, and will not usually be installed.
Verisign also updated their G1 Class 3 Root, which is used to sign web site certificates, but we have not included this certificate yet due to problems we discovered while testing it. As Verisign's "RSA Secure Server Certification Authority" Root Certificate is expiring in just a few months (early January), we have decided to not replace it.